Verizon Fixes Serious Security Flaw In FiOS
Verizon corrected a serious vulnerability in its My FiOS mobile application that granted unfettered access to email accounts, according to a developer who found the problem.
Randy Westergren, a senior software developer with XDA Developers, looked at the Android version of My FiOS, which is used for account management, email and scheduling video recordings.
“Since Verizon has a good amount of my information, I thought it would be a good candidate for research,” Westergren wrote on his personal blog. “I was right, and the results were astonishing.”
The flaw, contained in the application’s API, could have allowed an attacker to read individual messages from a person’s Verizon inbox and even send emails from an account, he wrote.
Westergren looked at the traffic sent back and forth between My FiOS and Verizon’s servers. He found My FiOS would return the content of someone else’s email inbox by simply substituting a different user ID in a request.
He contacted Verizon, which later acknowledged the problem. Verizon issued a fix last Friday, Westergren wrote.
“Verizon’s security group seemed to immediately realize the impact of this vulnerability and took it very seriously,” Westergren wrote. “They were very responsive during this process and even arranged for a free year of FiOS Internet service as a token of their gratitude.”
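The bug Westergren describes is an insecure direct object reference: the API authenticated the caller and then trusted a client-supplied user ID to choose which inbox to return. The Python below is added here as an illustration; it is not Verizon's or Westergren's code. It models that handler next to a corrected one that ties the inbox to the session identity, a variant that drops the user ID parameter altogether, and a check over access logs that flags sessions requesting IDs other than their own. The accounts, session tokens, log format and function names are all constructed for the example.

```python
"""Added example (not Verizon's or Westergren's code): an IDOR handler, its
fix, and a log check. All data, tokens and the log format are constructed."""
import re

# Constructed sample data: two accounts, each with its own inbox.
INBOXES = {
    "user-1001": ["Welcome to FiOS", "Your bill is ready"],
    "user-1002": ["Meeting notes", "Password reset link"],
}

# Constructed session store mapping a session token to the authenticated user.
SESSIONS = {
    "tok-alice": "user-1001",
    "tok-bob": "user-1002",
}


class Unauthorized(Exception):
    """No valid session token was presented."""


class Forbidden(Exception):
    """Valid session, but not allowed to read the requested resource."""


def authenticate(session_token):
    """Resolve a session token to the user it was issued to."""
    try:
        return SESSIONS[session_token]
    except KeyError:
        raise Unauthorized("invalid session") from None


def get_inbox_vulnerable(session_token, requested_user_id):
    """The flawed pattern: the caller is authenticated, but the inbox is
    selected by a client-supplied ID that is never compared with the caller."""
    authenticate(session_token)
    return list(INBOXES.get(requested_user_id, []))


def get_inbox_fixed(session_token, requested_user_id):
    """Authorization check: a caller may only read their own inbox."""
    caller = authenticate(session_token)
    if requested_user_id != caller:
        raise Forbidden(f"{caller} may not read inbox of {requested_user_id}")
    return list(INBOXES[caller])


def get_my_inbox(session_token):
    """Stronger design: derive the owner from the session and drop the
    user ID parameter entirely, so there is nothing to substitute."""
    caller = authenticate(session_token)
    return list(INBOXES[caller])


# Constructed access-log lines in a key=value format, one request per line.
SAMPLE_LOG = """\
2015-01-16T10:00:01Z session=tok-alice user_id=user-1001 path=/inbox status=200
2015-01-16T10:00:02Z session=tok-bob user_id=user-1002 path=/inbox status=200
2015-01-16T10:00:03Z session=tok-bob user_id=user-1001 path=/inbox status=200
2015-01-16T10:00:04Z session=tok-bob user_id=user-1003 path=/inbox status=200
2015-01-16T10:00:05Z session=tok-nobody user_id=user-1001 path=/inbox status=401
"""

_KV = re.compile(r"(\w+)=(\S+)")


def parse_log_line(line):
    """Split one log line into its timestamp and key=value fields."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(_KV.findall(rest))
    fields["timestamp"] = timestamp
    return fields


def flag_foreign_id_requests(log_text):
    """Detection over historical logs: for each known session, collect the
    user IDs it requested that differ from the user the session belongs to.
    Unknown sessions are skipped; their 401s are an authentication matter."""
    foreign = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        owner = SESSIONS.get(rec.get("session"))
        if owner is None:
            continue
        requested = rec.get("user_id")
        if requested and requested != owner:
            foreign.setdefault(rec["session"], set()).add(requested)
    return foreign


if __name__ == "__main__":
    print("vulnerable:", get_inbox_vulnerable("tok-bob", "user-1001"))
    try:
        get_inbox_fixed("tok-bob", "user-1001")
    except Forbidden as exc:
        print("fixed:", exc)
    print("flagged:", flag_foreign_id_requests(SAMPLE_LOG))
```

The log check is the retrospective side of the same fix: once the server only serves the caller's own inbox, a session that keeps asking for other IDs is a signal worth alerting on rather than a working request.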
Google Moves To Drop CAPTCHA
December 16, 2014 by admin
Google announced that it is trying to get rid of the annoying CAPTCHAs (short for Completely Automated Public Turing test to tell Computers and Humans Apart) that websites require.
Instead of requiring that users fill in the letters and numbers shown in a distorted image, sites that use Google’s reCAPTCHA service will be able to use just one click, answering a simple question: Are you a robot?
“reCAPTCHA protects the websites you love from spam and abuse,” wrote Vinay Shet, product manager for Google’s reCAPTCHA service, in a blog post. “For years, we’ve prompted users to confirm they aren’t robots by asking them to read distorted text and type it into a box… But, we figured it would be easier to just directly ask our users whether or not they are robots. So, we did! ”
Google on Wednesday began rolling out a new API that rethinks the reCAPTCHA experience.
CAPTCHA “can be hard to read and frustrating for people, particularly on mobile devices,” said Zeus Kerravala, an analyst with ZK Research. “People often have to put in the text several times. On the surface, this seems a good way to improve the user experience. It still requires human intervention, just something simpler.”
CAPTCHAs were created to foil computer programs that hackers or spammers use to troll for access to websites or to collect email addresses.
Google said CAPTCHAs are less useful than they have been, although they are still frustrating to everyday users.
“CAPTCHAs have long relied on the inability of robots to solve distorted text,” wrote Shet. “However, our research recently showed that today’s artificial intelligence technology can solve even the most difficult variant of distorted text at 99.8% accuracy. Thus distorted text, on its own, is no longer a dependable test.”
The new API, along with Google’s ability to analyze a user’s actions — before, during, and after clicking on the reCAPTCHA box — lets the new technology figure out whether the user is human.
“The new API is the next step in this steady evolution,” Shet stated. “Now humans can just check the box and in most cases, they’re through the challenge.”
LinkedIn Drops BWP API
February 18, 2013 by admin
LinkedIn has shut off its API access to “Bang With Professionals,” a Web service that was intended to facilitate more, say, intimate connections among users of the business-oriented social networking site.
The service was designed to allow LinkedIn users to anonymously search for people in their LinkedIn network who would be interested in meeting up for casual sex.
“We all had a good laugh,” the founders of Bang With Professionals said last Friday on the website, less than a month after its launch. “We all knew it was a matter of time before our API key was revoked.”
LinkedIn said it shut off API (application programming interface) access for the free site, which was intended to work on all desktops and mobile devices, because it violated the social network’s terms of use in a manner that was “inconsistent with the goals of our developer program.”
Among other things, API access isn’t allowed for any application that contains or displays adult content.
Data about the site’s 6,000 subscribers is safe and all their user IDs have been deleted, the founders said. The only thing that remains now is the site’s landing page.
The origins of Bang With Professionals are not unique in the fast-paced social networking landscape. The site was built “by two guys in three days,” the landing page says. The total launch cost was US$57: $40 for stock images, $12 for the domain name and $5 for a CloudFlare account.
The Twitter handle for the site has since been deactivated, but at press time, the Bang With Professionals blog on Tumblr was still accessible.
Yahoo Messenger Flaw Exposed
December 10, 2011 by admin
An unpatched Yahoo Messenger vulnerability that allows hackers to change people’s status messages, and possibly perform other unauthorized functions, can be exploited to spam malicious links to a large number of users.
The flaw was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer’s report about unusual Yahoo Messenger behavior.
The flaw appears to be located in the application’s file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
“An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the attacker,” said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender.
“Status changing appears to be only one of the things the attacker can abuse. We’re currently investigating what other things they may achieve,” he added.
Victims are unlikely to realize that their status messages have changed and if they use version 11.5 of Yahoo Messenger, which supports tabbed conversations, they might not even spot the rogue requests, Botezatu said.
This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages.